DETAILED ACTION

Response to Amendment 

1. This action is in response to the amendment received on April 4, 2008. Claims
1-29 were originally received for consideration. Per the received amendment, claims 1,
13, and 22 are amended.

2. Claims 1-29 are currently being considered. 

Response to Arguments 

Applicant's arguments with respect to claims 1-29 have been considered but are 
moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 1-29 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Blaker et al. (U.S. Patent Pub. No. US 2003/00815600 A) in view of Grohoski et al. 
(U.S. Patent Pub. No. US 2004/0225885 A1). 

Regarding claim 1, Blaker discloses: 

A system for performing security operations on network data, the system
comprising: 

memory (paragraph 0059, lines 1-3: "output buffer"); 

a data coprocessor configured to transfer data into and out of the memory 
(paragraph 0042, lines 1-7: crypto-input demux and crypto-output demux);

a plurality of processors coupled to the memory and to the data coprocessor, 
each processor being configured to perform, in parallel to one another, security 
operations on a portion of the data (paragraph 0037, lines 12-23, paragraph 45, lines 5- 
7: plurality of cryptographic processors in parallel); and 

Blaker does not explicitly disclose a plurality of security coprocessors coupled to 
the memory each security coprocessor being coupled to a respective one of the
processors and configured to assist the respective processor in performing security 
operations on the portion of the data, wherein assistance for the respective processor 
comprises execution of at least one algorithm of the at least one security protocol. 
Blaker discloses a plurality of crypto-units (Blaker: paragraph 0043), which perform 
cryptographic operations on the packets transforming the packets in accordance with 
protocols such as IPsec or SSL (Blaker: paragraph 0045). However, Blaker is silent on 
a plurality of security coprocessors coupled to each of these processors. Grohoski 
teaches cryptographic coprocessors which are coupled to the processors which aid in 
the cryptographic processing of a flow by processing packets in parallel (Grohoski: 
paragraphs 0019, 0020). The multiple crypto-units of Blaker could be interpreted as 
one or more processors as is done in Grohoski (Grohoski: paragraph 0022), and each 
of these processors can be coupled to a security coprocessor which could include
one or more crypto-units (Grohoski: paragraph 0022). It would have been obvious to 
one of ordinary skill in the art to use the security co-processor of Grohoski in the system 
of Blaker "to provide improved communication efficiency between the CPU and the 
crypto-coprocessor" (Grohoski: paragraph 0014). 



Claim 2 is rejected as applied above in rejecting claim 1. Furthermore, Blaker
discloses: 

The system of claim 1, wherein each of the plurality of processors comprises:

logic configured to identify a security association related to the portion of the data 
(paragraph 0042, lines 9-13), wherein an IPSec SPI is evaluated; 

logic configured to filter the portion of the data based on the identified security 
association (paragraph 0042, lines 7-18), wherein the packets are placed in an order 
depending on the type of packet; 

logic configured to divide the portion of the data into fragments and to reassemble 
the fragments into the portion (paragraph 0044, lines 1-5), wherein data is broken up 
into related packets; and 

logic configured to identify a sequence associated with the portion of the data 
(paragraph 9, lines 8-15), wherein a sequence identifier is assigned to each packet 
which determines the order of related packets. 

Claim 6 is rejected as applied above in rejecting claim 1. Furthermore, Blaker
discloses: 

The system of claim 1, wherein each of the plurality of processors is further
configured to perform, in parallel to one another, quality-of-service (QoS) operations 
on the portion of the data in coordination with performing the security operations 
(paragraph 0009, lines 16-18, paragraph 0015, lines 3-7), wherein packets are 
ordered based on classification. 

Claim 7 is rejected as applied above in rejecting claim 6. Furthermore, Blaker 
discloses: 

The system of claim 6, wherein each of the plurality of processors comprises: 

logic configured to identify an information flow associated with the data (paragraph 
0010, lines 1-9), wherein flow identifiers are assigned to related packets; 

logic configured to determine a priority of the information flow (paragraph 0015, lines 
1-7), wherein the output of the parallel processors can be controlled based on the 
flow identifier, and 

logic configured to manage the transfer of data into and out of the memory based on 
the priority of the information flow associated with the data (paragraph 0015, lines 1- 
7), wherein the output of the parallel processors can be controlled based on the flow 
identifier. 

Claim 8 is rejected as applied above in rejecting claim 7. Furthermore, Blaker
discloses: 

The system of claim 7, comprising at least one of: 

an enqueue coprocessor coupled to the plurality of processors and to the data 
coprocessor, the enqueue coprocessor configured to manage the information flow 
associated with the data external to the system (paragraph 0039, lines 1-12), 
wherein related packets are classified in a flow and are classified as either inbound 
or outbound packets; 

a policy coprocessor configured to assist the plurality of processors in managing the 
transfer of the data into and out of the memory by enforcing policies of the 
information flow associated with the data (paragraph 0057, lines 1-12), wherein an 
output admission policy is used to output packets; and 

a counter coprocessor configured to provide statistics related to the transfer of the 
data into and out of the memory and the enforcing of policies of the information flow 
(paragraph 0015, lines 1-7), wherein the output of the parallel processors can be 
controlled based on the flow identifier. 

Claim 9 is rejected as applied above in rejecting claim 1. Furthermore, Blaker
discloses: 

The system of claim 1, wherein each of the plurality of processors is configured to
execute programmable instructions for performing the security operations on the 
portion of the data from a plurality of independent instruction streams, and can
switch between instruction streams in a single clock cycle (paragraph 0037, lines 1-
7), wherein the packets are subject to encryption, decryption, and functions 
associated with IPSec or SSL packets. 

Claim 10 is rejected as applied above in rejecting claim 9. Furthermore, Blaker 
discloses: 

The system of claim 9, wherein each of the plurality of security processors includes 
separate queues corresponding to each of the independent instruction streams 
(paragraph 0059, lines 1-4), wherein each crypto-unit has its own output buffer 
(queue). 

Claim 11 is rejected as applied above in rejecting claim 1. Furthermore, Blaker 
discloses: 

The system of claim 1, wherein each of the plurality of processors comprises:

logic configured to compress the portion of the data prior to performing the security 
operations when the portion is non-secure data (paragraph 0037, lines 27-36), 
compression processor; and

logic configured to decompress the portion of the data after performing the security 
operations when the portion is secure data (paragraph 0037, lines 27-36), 
compression processor. 

Claim 12 is rejected as applied above in rejecting claim 11. Furthermore, Blaker
discloses: 

The system of claim 11, wherein each security processor is configured to assist the
respective processor in compressing and decompressing the portion of the data 
(paragraph 0037, lines 27-36), compression processor. 

Regarding claim 13, Blaker discloses: 

A method for performing security operations on network data, the method 
comprising: 

transferring data into memory (paragraph 0042, lines 1-7: crypto-input demux and 
crypto-output demux); 

performing security operations on respective portions of the data in parallel using a 
plurality of processors (paragraph 0037, lines 12-23, paragraph 45, lines 5-7: plurality 
of cryptographic processors in parallel); 

using a plurality of security coprocessors to assist in performing the security operations 
on the respective portions of the data, each security coprocessor being coupled to a 
respective one of the processors (paragraph 0037, lines 1-20), wherein the crypto-units 
(cryptographic processors) are used to help carry out the cryptographic operations; and 

transferring the operated-on portions of the data out of the memory (paragraph 0042, 
lines 1-7: crypto-input demux and crypto-output demux).

Blaker does not explicitly disclose a plurality of security coprocessors coupled to the
memory each security coprocessor being coupled to a respective one of the processors
and configured to assist the respective processor in performing security operations on 
the portion of the data, wherein assistance for the respective processor comprises 
execution of at least one algorithm of the at least one security protocol. Blaker 
discloses a plurality of crypto-units (Blaker: paragraph 0043), which perform 
cryptographic operations on the packets transforming the packets in accordance with 
protocols such as IPsec or SSL (Blaker: paragraph 0045). However, Blaker is silent on 
a plurality of security coprocessors coupled to each of these processors. Grohoski 
teaches cryptographic coprocessors which are coupled to the processors which aid in 
the cryptographic processing of a flow by processing packets in parallel (Grohoski: 
paragraphs 0019, 0020). The multiple crypto-units of Blaker could be interpreted as 
one or more processors as is done in Grohoski (Grohoski: paragraph 0022), and each 
of these processors can be coupled to a security coprocessor which could include
one or more crypto-units (Grohoski: paragraph 0022). It would have been obvious to 
one of ordinary skill in the art to use the security co-processor of Grohoski in the system 
of Blaker "to provide improved communication efficiency between the CPU and the 
crypto-coprocessor" (Grohoski: paragraph 0014). 

Claim 14 is rejected as applied above in rejecting claim 13. Furthermore, Blaker 
discloses: 

The method of claim 13, wherein the security operations performed by each of the
processors comprise: 

identifying a security association related to a portion of the data (paragraph 0042, lines 
9-13), wherein an IPSec SPI is evaluated; 

filtering the portion of the data based on the identified security association (paragraph 
0042, lines 7-18), wherein the packets are placed in an order depending on the type of 
packet; 

dividing the portion of the data into fragments (paragraph 0044, lines 1-5), wherein data 
is broken up into related packets;

reassembling the fragments into the portion of data (paragraph 0044, lines 1-5); and 

identifying a sequence associated with the portion of the data (paragraph 9, lines 8-15), 
wherein a sequence identifier is assigned to each packet which determines the order of 
related packets. 

Claim 17 is rejected as applied above in rejecting claim 13. Furthermore, Blaker 
discloses: 

The method of claim 13, comprising: 

performing quality-of-service (QoS) operations on the respective portions of the data in 
parallel using the plurality of processors in coordination with performing the security 
operations (paragraph 0009, lines 16-18, paragraph 0015, lines 3-7), wherein packets 
are ordered based on classification. 

Claim 18 is rejected as applied above in rejecting claim 17. Furthermore, Blaker
discloses: 

The method of claim 17, wherein the QoS operations performed by each of the 
processors comprise: 

identifying an information flow associated with the data (paragraph 0010, lines 1-9), 
wherein flow identifiers are assigned to related packets; 

determining a priority of the information flow (paragraph 0015, lines 1-7), wherein the 
output of the parallel processors can be controlled based on the flow identifier, and 

managing the transfer of data into and out of the memory based on the priority of the 
information flow associated with the data (paragraph 0015, lines 1-7), wherein the 
output of the parallel processors can be controlled based on the flow identifier. 

Claim 19 is rejected as applied above in rejecting claim 18. Furthermore, Blaker 
discloses: 

The method of claim 18, comprising: 

managing the information flow after transferring the operated-on portions of the data 
associated with the information flow out of the memory (paragraph 0039, lines 1-12), 
wherein related packets are classified in a flow and are classified as either inbound or 
outbound packets; 

enforcing policies of the information flow associated with the data (paragraph 0057,
lines 1-12), wherein an output admission policy is used to output packets; and 

providing statistics related to the transfer of the data into and out of the memory and the 
enforcing of policies of the information flow (paragraph 0015, lines 1-7), wherein the 
output of the parallel processors can be controlled based on the flow identifier. 

Claim 20 is rejected as applied above in rejecting claim 13. Furthermore, Blaker 
discloses: 

The method of claim 13, comprising: 

compressing the respective portions of the data prior to performing the security 
operations when the portions are non-secure data (paragraph 0037, lines 27-36), 
compression processor; and 

decompressing the respective portions of the data after performing the security 
operations when the portions are secure data (paragraph 0037, lines 27-36), 
compression processor. 

Claim 21 is rejected as applied above in rejecting claim 13. Furthermore, Blaker 
discloses: 

The method of claim 13, comprising: 

using each security processor to assist the respective processor in compressing and 
decompressing the portions of the data (paragraph 0037, lines 27-36), compression 

Regarding claim 22, Blaker discloses:

A computer readable medium containing a computer program for performing 
security operations on network data, wherein the computer program comprises 
executable instructions for: 

transferring data into memory (paragraph 0042, lines 1-7: crypto-input demux 
and crypto-output demux); 

performing security operations on respective portions of the data in parallel using a 
plurality of processors (paragraph 0037, lines 12-23, paragraph 45, lines 5-7: plurality 
of cryptographic processors in parallel); 

using a plurality of security coprocessors to assist in performing the security operations 
on the respective portions of the data, each security coprocessor being coupled to a 
respective one of the processors (paragraph 0037, lines 1-20), wherein the
crypto-units (cryptographic processors) are used to help carry out the cryptographic 
operations; and 

transferring the operated-on portions of the data out of the memory (paragraph 0042, 
lines 1-7: crypto-input demux and crypto-output demux).

Blaker does not explicitly disclose a plurality of security coprocessors coupled to 
the memory each security coprocessor being coupled to a respective one of the
processors and configured to assist the respective processor in performing security 
operations on the portion of the data, wherein assistance for the respective processor
comprises execution of at least one algorithm of the at least one security protocol. 
Blaker discloses a plurality of crypto-units (Blaker: paragraph 0043), which perform 
cryptographic operations on the packets transforming the packets in accordance with 
protocols such as IPsec or SSL (Blaker: paragraph 0045). However, Blaker is silent on 
a plurality of security coprocessors coupled to each of these processors. Grohoski 
teaches cryptographic coprocessors which are coupled to the processors which aid in 
the cryptographic processing of a flow by processing packets in parallel (Grohoski: 
paragraphs 0019, 0020). The multiple crypto-units of Blaker could be interpreted as 
one or more processors as is done in Grohoski (Grohoski: paragraph 0022), and each 
of these processors can be coupled to a security coprocessor which could include
one or more crypto-units (Grohoski: paragraph 0022). It would have been obvious to 
one of ordinary skill in the art to use the security co-processor of Grohoski in the system 
of Blaker "to provide improved communication efficiency between the CPU and the 
crypto-coprocessor" (Grohoski: paragraph 0014). 

Claim 23 is rejected as applied above in rejecting claim 22. Furthermore, Blaker 
discloses: 

The computer readable medium of claim 22, wherein the instructions for performing 
security operations on respective portions of the data in parallel using a plurality of 
processors comprise executable instructions for: 

identifying a security association related to a portion of the data (paragraph 0042, lines
9-13), wherein an IPSec SPI is evaluated; 

filtering the portion of the data based on the identified security association (paragraph 
0042, lines 7-18), wherein the packets are placed in an order depending on the type of 
packet; 

dividing the portion of the data into fragments (paragraph 0044, lines 1-5), wherein data 
is broken up into related packets;

reassembling the fragments into the portion of data (paragraph 0044, lines 1-5); and 

identifying a sequence associated with the portion of the data (paragraph 9, lines 8-15), 
wherein a sequence identifier is assigned to each packet which determines the order of 
related packets. 

Claim 26 is rejected as applied above in rejecting claim 22. Furthermore, Blaker 
discloses: 

The computer readable medium of claim 22, wherein the computer program comprises 
executable instructions for: 

performing quality-of-service (QoS) operations on the respective portions of the data in 
parallel using the plurality of processors in coordination with performing the security 
operations (paragraph 0009, lines 16-18, paragraph 0015, lines 3-7), wherein packets 
are ordered based on classification. 

Claim 27 is rejected as applied above in rejecting claim 26. Furthermore, Blaker
discloses: 

The computer readable medium of claim 26, wherein the instructions for performing 
QoS operations on the respective portions of the data in parallel using the plurality of 
processors in coordination with performing the security operations comprise executable 
instructions for: 

identifying an information flow associated with the data (paragraph 0010, lines 1-9), 
wherein flow identifiers are assigned to related packets; 

determining a priority of the information flow (paragraph 0015, lines 1-7), wherein the 
output of the parallel processors can be controlled based on the flow identifier, and 

managing the transfer of data into and out of the memory based on the priority of the 
information flow associated with the data (paragraph 0015, lines 1-7), wherein the 
output of the parallel processors can be controlled based on the flow identifier. 

Claim 28 is rejected as applied above in rejecting claim 27. Furthermore, Blaker 
discloses: 

The computer readable medium of claim 27, wherein the computer program comprises 
executable instructions for: 

managing the information flow after transferring the operated-on portions of the data 
associated with the information flow out of the memory (paragraph 0015, lines 1-7), 
wherein the output of the parallel processors can be controlled based on the flow
identifier, 

enforcing policies of the information flow associated with the data (paragraph 0057, 
lines 1-12), wherein an output admission policy is used to output packets; and

providing statistics related to the transfer of the data into and out of the memory and the 
enforcing of policies of the information flow. 

Claim 29 is rejected as applied above in rejecting claim 22. Furthermore, Blaker 
discloses: 

The computer readable medium of claim 22, wherein the computer program comprises 
executable instructions for: 

compressing the respective portions of the data prior to performing the security 
operations when the portions are non-secure data (paragraph 0037, lines 27-36), 
compression processor, and 

decompressing the respective portions of the data after performing the security 
operations when the portions are secure data (paragraph 0037, lines 27-36), 
compression processor. 

Claims 3, 15 and 24 are rejected as applied above in rejecting claims 1, 13, and 22,
respectively. Furthermore, Blaker discloses:

logic configured to establish a security association related to the portion of the data,
wherein the security association includes information used to obscure and decipher the 
portion and to determine the integrity of the portion (paragraph 0037, lines 1-7), wherein 
the packets can be subject to encrypting and decrypting per IPSec (security 
associations) or SSL. 

Blaker does not explicitly disclose that there is logic to obscure or decipher a 
portion of the data depending on if the data is secure or non-secure. Grohoski 
discloses a system wherein a cryptographic co-processor and a CPU (external memory) 
communicate to process packets and subject the packet to encryption (obscure) or 
decryption (decipher) using information from a control word and whether the received 
packet was encrypted or decrypted (Grohoski: paragraph 0058, line 6 - paragraph 
0060, line 4). Blaker and Grohoski are analogous arts as both use cryptographic co- 
processors to assist with the cryptographic processing of packets. Blaker already 
possesses the capability of identifying what type of packet is received (Blaker: 
paragraph 0037, lines 1-4) and it would have been obvious to use the control words to 
encrypt or decrypt the packet based on the type of packet received. It would have
been obvious to use the method of Grohoski in combination with Blaker so that the "one 
or more crypto units that are optimized to perform a selected encryption process" 
(Grohoski: paragraph 0022, lines 3-8). 

Claims 4, 16, and 25 are rejected as applied above in rejecting claims 1, 13, and 22,
respectively. Blaker does not explicitly disclose a search engine coprocessor coupled to
the memory and to the plurality of processors, the search engine coprocessor being
configured to exchange control information between at least one of the memory and 
external system memory and each of the plurality of processors for use in performing 
security operations on the data. Grohoski discloses a system wherein a cryptographic 
co-processor and a CPU (external memory) communicate to process packets and 
subject the packet to encryption (obscure) or decryption (decipher) using information 
from a control word and whether the received packet was encrypted or decrypted 
(Grohoski: paragraph 0058, line 6 - paragraph 0060, line 4). Blaker and Grohoski are 
analogous arts as both use cryptographic co-processors to assist with the cryptographic 
processing of packets. Blaker already possesses the capability of identifying what type 
of packet is received (Blaker: paragraph 0037, lines 1-4) and it would have been 
obvious to use the control words to encrypt or decrypt the packet based on the type of
packet received. It would have been obvious to use the method of Grohoski in
combination with Blaker so that the "one or more crypto units that are optimized to 
perform a selected encryption process" (Grohoski: paragraph 0022, lines 3-8). 

Claim 5 is rejected as applied above in rejecting claim 4. Furthermore, Blaker 
discloses: 

The system of claim 4, comprising: a memory coprocessor coupled to the plurality of 
processors, the memory, and the external system memory, the memory coprocessor 
configured to determine a status of the memory and the external system memory 
(paragraph 0040, lines 1-13), wherein the capacity of the queues in the crypto units are
used so that packets are queued using a fairness scheme. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to KAVEH ABRISHAMKAR whose telephone number is 
(571)272-3786. The examiner can normally be reached on Monday thru Friday 8-5. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on 571-272-3795. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Kaveh Abrishamkar/ 
Examiner, Art Unit 2131 

/K. A./
06/05/2008 
